Hotmail to ban common passwords

Microsoft has announced that it plans to prevent users of its Windows Live Hotmail email service from using common passwords. Accounts with common passwords are easy targets for hijackers, who often use compromised accounts to send out spam or even launch phishing attacks.

The change will mean that users will have to choose a password that is harder to guess when they sign up for a new account and also when existing users change their password. According to Dick Craddock, Group Program Manager for Windows Live Hotmail, current users with weak passwords may, "at some point in the future, be asked to change it to a stronger password". The new feature "will be rolling out soon".
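As an added illustration of what "preventing common passwords" means in practice (this is not Microsoft's code, and the denylist is a constructed sample standing in for a real list of the most frequently used passwords), here is the kind of check a sign-up or change-password form can apply:

```python
# Added example, not Hotmail's implementation. A denylist check is only
# useful if it also catches the trivial variants that guessing tools try
# first, so the candidate set below covers case, trailing digits/symbols
# and common character substitutions.
import re

# Constructed sample denylist; a production list would hold many thousands.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "iloveyou", "monkey", "welcome", "hotmail",
}

# Substitutions that password-guessing wordlists already expand, so
# "p@ssw0rd" must not pass simply because it differs from "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "$": "s", "!": "i"})


def candidates(password: str) -> set[str]:
    """Forms of the password to compare against the denylist."""
    lowered = password.lower()
    # Trailing digits or punctuation ("password1", "qwerty!") add almost
    # no guessing cost, so strip them before comparing.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, stripped, stripped.translate(_LEET)}


def is_common(password: str, denylist=COMMON_PASSWORDS) -> bool:
    """True if the password, or one of its trivial variants, is on the list."""
    return any(c in denylist for c in candidates(password))


def check_password(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason) the way a sign-up form would report it."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_common(password):
        return False, "too common; choose something harder to guess"
    return True, "ok"
```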

Craddock notes that, should an account be compromised, it is very often the victim's friends who find out before they do. Because of this, Microsoft is introducing a new "My friend's been hacked!" feature that lets users report that a friend's account has been taken over by flagging any spam or fraudulent mail they receive.

Image caption: In Hotmail, users can report friends' accounts by clicking "My friend's been hacked!" under the "Mark as" menu. Source: WindowsTeamBlog.com

The report is passed on to the service's "compromise detection system", where it is used, along with other information, to assess whether the account in question has in fact been hijacked. Once the account has been flagged as compromised, the hijacker will no longer be able to access it. The next time the account owner attempts to log in, they will be prompted to take back control of the account using the account recovery process.

While the new feature initially only allowed users to report Hotmail accounts, it has now been extended to allow Hotmail users to report email from Yahoo! and Gmail accounts as well. These reports are then passed to the third-party providers so that they can work to recover hacked accounts.

"We've had this feature turned on for only a few weeks, and we've already identified thousands of customers who have had their accounts hacked and helped those customers reclaim their accounts. And we've found it to be very effective and fast. Accounts that you report as compromised are typically returned to the rightful owner within a day", Craddock said in a post on the Windows Team Blog.